Passwords are still the way most organizations allow consumers to access their sites but few firms have secure password policies.

That’s one of the lessons that can be gleaned from a recent survey of 48 popular sites including Amazon, Netflix and Uber conducted by Dashlane, a maker of password managers. The vendor looked at 37 popular consumer and 11 enterprise websites against five password security criteria, such as whether the website require users to have passwords that are 8 or more characters, if it limits the number of wrong login attempts and supports two-factor authentication.

The findings:

–46 per cent of consumers sites and 36 per cent of enterprise sites had what Dashlane considers lax policies;

–only three sites — GoDaddy, Stripe and QuickBooks — had perfect scores;

– researchers were able to create passwords using nothing but the lowercase letter “a” on several sites including Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo;

–six websites don’t have policies to prevent brute-force attacks, including Apple, Dropbox, Google, Twitter, Venmo, and Walmart;

–researchers successfully an account on Netflix and Spotify using “aaaa”.

At least one vendor was miffed.  “This report reflects an unsophisticated understanding of account security and authentication,”  Melanie Ensign, head of security and privacy communications at Uber, told SC Magazine. “Experts agree that the most important thing about your password is that it’s unique to you and not used on any other accounts.”  She also said that Uber and other tech companies automatically employ risk-based authentication solutions that leverage machine learning techniques to protect user accounts.

While users have the obligation to create safe and original passwords for every site they visit, CISOs are responsbile for ensuring the failings of users can’t be used as an easy gateway onto the network. Yet too many organizations are vulnerable to brute force attacks. The latest account comes from a Forrester Research analyst who used the tactic to demonstrate to a Hollywood entertainment company how easy it was to bypass its defences.

Dashlane says CISOs ought to

• make 8-character passwords the minimum
• require alphanumeric & case-sensitive passwords
• orovide a meter or color-coded bar to confirm password length and strength
• send an email to users when passwords are changed
• black the most common passwords found on the web
• consider instituting an account lockout policy to thwart brute-force attacks
• support 2-factor authentication

Sure Dashlane has an interest in this: Password managers make it easy for users to keep control of passwords. They’re also a possible single point of failure.

But that doesn’t mean corporate execs can’t demand that internal policies be tightened.